The carve-out rule was added in an attempt to use the Bring Your Own Fees strategy using CPFP. An implementation of a new commitment format for this purpose has been worked on and it is suggested that the special case rule should be relaxed a little to avoid adding a 1 CSV to all outputs which would also require changing HTLC scripts to add the CSV delay. Instead, it is recommended that the last transaction added to a package of dependent transactions in the mempool should have no more than one unconfirmed parent. This may allow an attacker to exceed the MAX_PACKAGE_VIRTUAL_SIZE limit in some cases but it is unclear if this poses a problem with the current mempool acceptance code in bitcoind. There have been several changes to the acceptance code and eviction policy since the limit was first introduced. Rusty Russell suggests a simplified RBF where you can replace if the feerate is higher, the new tx is in the first 4Msipa of mempool, and the old tx isn't. Though it allows 100k of free tx spam, it is simple and could be further restricted by marking the unilateral close somehow to say "gonna be pushed" and further limiting the child tx weight.